ITD + ASA 5585-X Configuration Guide
Don Garnett, Mouli Vytla. Revision 1.4
Document revision updates
19-August-2015 (version 1.4) – Don Garnett
Changes:
- Updated topology diagrams with 2015 PPT icons
- Added logical views
- Added ASA Clustering section
- Added information regarding L3 over VPC, peer VDC and other optional parameters
- Added optional ITD parameters
Information regarding Device Group options such as HA config options will be added soon.

21-November-2014 (version 1.3) – Mouli Vytla
- Added dual-VDC (non-VPC) Sandwich mode configuration for ASA + ITD

23-June-2014 (version 1.2) – Don Garnett
- Removed Static Routes configuration from N7K – not needed
- Removed VIPs from ITD processes – not needed
- Revised Auto-Configuration and Verification sections to reflect configuration output without VIPs in place
N7K ITD and ASA Deployment Methods
ITD with Firewall on a Stick (One Arm)
This design uses a single VDC with a single 802.1q interface (or .1q port-channel) connecting to the ASAs. The ASAs do traffic filtering and inter-VLAN routing by splitting the single interface into sub-interfaces.

ITD with Single VDC (Two Arm)
This design uses a single VDC with 2 separate (access or trunk) interfaces connecting to the ASAs. The ASAs filter traffic traversing the 2 interfaces. Traffic is segregated on the switch by VRFs to ensure traffic is inspected by the firewalls.

ITD with Dual VDC Sandwich
This design leverages 2 VDCs, each with an interface connecting to the ASAs. The ASAs filter traffic traversing the 2 VDCs. This design could also be used with separate N7K switches instead of VDCs if desired.

ITD with Dual VDC (vPC) Sandwich
This design leverages 2 VDCs, each with an interface connecting to the ASAs. The ASAs filter traffic traversing the 2 VDCs. This design could also be used with separate N7K switches instead of VDCs if desired. Two N7K switches are deployed in vPC mode.

Cluster Deployments
Cluster deployments can encompass any of the above methods. VPC peers with Dual VDC Sandwich is demonstrated in this document.
Firewall on a Stick Topology
Single VDC Firewall on a Stick Topology: logical separation of traffic across ASA interfaces using 802.1q tagging.
Single VDC ‘Firewall on a Stick’ Topology
[Topology diagram – NXOS GBR 7.2, L3 over VPC. Firewall sub-interfaces: Outside port-channel, VLAN 100, VRF Outside (/24); Inside port-channel, VLAN 101 (/24). ASA1–ASA4 at .111–.114. NX transit interfaces: SVI VLAN 100 (VRF FW_OUTSIDE) and SVI VLAN 101 on Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8, joined by a VPC peer link; VPC trunks connect to each firewall. NX ITD ingress interfaces on each switch: SVI VLAN 1100 (HSRP, VRF FW_OUTSIDE) and SVI VLAN 1101 (HSRP), with ITD applied on both switches.]
Single VDC ‘Firewall on a Stick’ Topology
[Topology diagram – NXOS 7.1. Firewall sub-interfaces: Outside TenGigabitEthernet0/6.100, VLAN 100, VRF Outside (/24); Inside TenGigabitEthernet0/6.101, VLAN 101 (/24). Non-VPC port-channels can also be used. ASA1–ASA4 at .111–.114. A single trunk interface connects to each firewall. NX transit interfaces: SVI VLAN 100 (VRF FW_OUTSIDE) and SVI VLAN 101 on Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8, joined by a VPC peer link. NX ITD ingress interfaces on each switch: SVI VLAN 1100 (HSRP, VRF FW_OUTSIDE) and SVI VLAN 1101 (HSRP), with ITD applied on both switches.]
Single VDC ‘Firewall on a Stick’ Topology
[Logical view – single VDC with VLAN + VRF separation. VRF Red (Outside): VLAN 1100 (ITD ingress) and VLAN 100. VRF Blue (Inside): VLAN 101 and VLAN 1101 (ITD ingress).]
Configuration Steps – Nexus 7000
1. Enable features
2. Enable L2 VLANs to be used in the topology
3. Configure VPC between local and peer switch – optional
   - Enable L3 over VPC feature (NXOS 7.2+ only)
4. Create VRF(s) needed for ITD process
5. Configure (physical/logical) transit switch interfaces connecting to firewall Inside and Outside interfaces
6. Configure ITD ingress interfaces that connect to downstream network infrastructure
7. Define ITD device groups and health probe parameters
8. Configure ITD service and mandatory parameters
9. Enable optional ITD features
Configuration steps are shown using the NXOS 7.2+ topology.
Configuration Steps – Nexus 7000
1. Enable features
feature pbr
feature interface-vlan
feature hsrp        #optional
feature lacp        #optional
feature vpc         #optional
feature sla sender
feature sla responder
feature itd

2. Enable L2 VLANs used in topology
vlan 1, ,
Configuration Steps – Nexus 7000
3. Configure VPC between local and peer switch. Enable L3 over VPC (NXOS 7.2+ only) – optional
vrf context vpc-keepalive
vpc domain 1
  peer-keepalive destination  source  vrf vpc-keepalive
  peer-gateway
  layer3 peer-router
  ipv6 nd synchronize
  ip arp synchronize
interface port-channel1
  description - VPC PEER LINK
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface Ethernet1/1
  description - VPC KEEP-ALIVE LINK
  vrf member vpc-keepalive
  ip address /24
  no shutdown
interface Ethernet1/2-3
  channel-group 1 mode active
Configuration Steps – Nexus 7000
4. Create VRF(s) needed for ITD process – optional
vrf context FW_OUTSIDE
#In this configuration, Outside traffic heading to the firewall will use the FW_OUTSIDE VRF. After entering and exiting the firewall the traffic will use the default VRF.
#Traffic is directed to individual firewalls via PBR, thus routes are not needed.
Configuration Steps – Nexus 7000
5. Configure (physical/logical) switch transit interfaces that connect to firewall Inside and Outside interfaces
interface Vlan100
  description OUTSIDE_FW_VLAN
  vrf member FW_OUTSIDE
  no ip redirects
  ip address /24
  hsrp 3
    ip
interface Vlan101
  description INSIDE_FW_VLAN
  ip address /24
  hsrp 1
    ip
interface Ethernet4/25
  description To_ITD-ASA-1_PortChannel
  switchport mode trunk
  switchport trunk allowed vlan
  channel-group 11 mode active
interface Ethernet4/26
  description To_ITD-ASA-2_PortChannel
  channel-group 12 mode active
Replicate for every connecting ASA
interface Port-Channel11
  description VPC_TO_ASA1
  switchport mode trunk
  switchport trunk allowed vlan
  vpc 11
interface Port-Channel12
  vpc 12
interface Port-Channel13
  description VPC_TO_ASA3
  vpc 13
interface Port-Channel14
  description VPC_TO_ASA4
  vpc 14
Replicate for every connecting ASA
Configuration Steps – Nexus 7000
6. Configure ITD ingress interfaces which connect to downstream network infrastructure
interface Vlan1100
  description EXTERNAL_to_FW-OUTSIDE
  no shutdown
  vrf member FW_OUTSIDE
  no ip redirects
  ip address /24
  hsrp 100
    ip
interface Vlan1101
  description INTERNAL_to_FW-INSIDE
  ip address /24
  hsrp 1
    ip
interface port-channel41
  description BUNDLE_FOR_AGGREGATE_TRAFFIC
  switchport
  switchport mode trunk
  switchport trunk allowed vlan
  vpc 41
interface Ethernet10/1-8
  channel-group 41
Configuration Steps – Nexus 7000
7. Define ITD device groups and health probe parameters
itd device-group FW_INSIDE
  #Config firewall Inside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
  probe icmp frequency 5 timeout 5 retry-count 1
itd device-group FW_OUTSIDE
  #Config firewall Outside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
Probe default values:
switch(config-device-group)# probe icmp frequency 10 retry-down-count 1 retry-up-count 1 timeout 5
Configuration Steps – Nexus 7000
8. Configure ITD service and mandatory parameters
itd INSIDE
  device-group FW_INSIDE        #binds inside firewall interfaces to process
  ingress interface Vlan1101    #applies ITD route-map to Vlan1101 interface
  failaction node reassign      #dictates to use the next available active FW if a FW goes offline
  load-balance method src ip    #load balances traffic applicable in buckets to firewalls based on source-IP address (default).
  no shut
itd OUTSIDE
  vrf FW_OUTSIDE                #applies this ITD process to the defined VRF named ‘FW_OUTSIDE’
  device-group FW_OUTSIDE
  ingress interface Vlan1100
  load-balance method dst ip buckets 16   #load balances traffic applicable in buckets to firewalls based on destination. Default is src-ip (itd INSIDE)
Configuration Steps – Nexus 7000
9. Configure optional ITD features
N7K-1(config)# itd INSIDE
N7K-1(config-itd)# ?
  access-list   ITD access-list name               ##Traffic to include in LB Profile
  device-group  ITD device group
  exclude       ACL to exclude from redirection    ##Traffic to exclude from LB Profile
  failaction    ITD failaction
  ingress       ITD ingress interface
  load-balance  ITD Loadbalance                    ##Configures bucket allocation, mask position, or Src/Dst LB Method
  nat           Network Address Translation        ##Enables NAT Based ITD instead of PBR based (default)
  no            Negate a command or set its defaults
  peer          Peer cli for sandwich mode failure notification   ##Enables awareness of ITD process state in another VDC (used for 2-Arm/Sandwich ITD configurations)
  shutdown
  virtual       ITD virtual ip configuration       ##Global and Device-group specific VIP configuration
  vrf           ITD service vrf
Configuration Steps – ASA Firewall
ASA Basic Configuration: There is nothing ITD-specific about configuring the ASA for ITD. The following interface configuration is used with this topology.
interface Port-channel11
 nameif aggregate
 security-level 100
 no ip address
!
interface Port-channel11.100
 description OUTSIDE
 vlan 100
 nameif outside
 ip address
interface Port-channel11.101
 description INSIDE
 vlan 101
 nameif inside
 ip address
same-security-traffic permit inter-interface
interface TenGigabitEthernet0/6
 description CONNECTED_TO_SWITCH-A-VPC
 channel-group 11 mode active
 no nameif
 no security-level
interface TenGigabitEthernet0/7
 description CONNECTED_TO_SWITCH-B-VPC
Interface security levels and traffic filtering parameters are dependent on customer security policies. For the purposes of testing, security level 100 is used, and traffic is allowed to traverse between interfaces of the same security level.
Single VDC (non-FWoS) Topology
Physical separation of traffic using separate ASA interfaces for Inside and Outside networks.
ITD ‘Single VDC’ Topology
[Topology diagram – NXOS GBR 7.2, L3 over VPC. Firewall interfaces: Outside Port-Channel 21, VLAN 100, VRF Outside (/24); Inside Port-Channel 11, VLAN 101 (/24). ASA1–ASA4 at .111–.114. 2 separate VPC trunks connect to each firewall. NX transit interfaces: SVI VLAN 100 (VRF FW_OUTSIDE) and SVI VLAN 101 on Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8, joined by a VPC peer link. NX ITD ingress interfaces on each switch: SVI VLAN 1100 (HSRP, VRF FW_OUTSIDE) and SVI VLAN 1101 (HSRP), with ITD applied on both switches.]
ITD ‘Single VDC’ Topology
[Topology diagram – NXOS 7.1. Firewall interfaces: Outside TenGigabitEthernet0/6, VLAN 100, VRF Outside (/24); Inside TenGigabitEthernet0/7, VLAN 101 (/24). Non-VPC port-channels can also be used. ASA1–ASA4 at .111–.114. 2 separate VPC trunks connect to each firewall. NX transit interfaces: SVI VLAN 100 (VRF FW_OUTSIDE) and SVI VLAN 101 on Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8, joined by a VPC peer link. NX ITD ingress interfaces on each switch: SVI VLAN 1100 (HSRP, VRF FW_OUTSIDE) and SVI VLAN 1101 (HSRP), with ITD applied on both switches.]
ITD ‘Single VDC’ Topology
[Logical view – single VDC with VLAN + VRF separation. VRF Red (Outside): VLAN 1100 (ITD ingress) and VLAN 100. VRF Blue (Inside): VLAN 101 and VLAN 1101 (ITD ingress).]
Configuration Steps – Nexus 7000
1. Enable features
2. Enable L2 VLANs to be used in the topology
3. Configure VPC between local and peer switch – optional
   - Enable L3 over VPC feature (NXOS 7.2+ only)
4. Create VRF(s) needed for ITD process
5. Configure (physical/logical) transit switch interfaces connecting to firewall Inside and Outside interfaces
6. Configure ITD ingress interfaces used to connect to downstream network infrastructure
7. Define ITD device groups and health probe parameters
8. Configure ITD services and mandatory parameters
9. Configure optional ITD process features
Configuration steps are shown using the NXOS 7.2+ topology.
Configuration Steps – Nexus 7000
1. Enable features
feature pbr
feature interface-vlan
feature hsrp        #optional
feature lacp        #optional
feature vpc         #optional
feature sla sender
feature sla responder
feature itd

2. Enable L2 VLANs used in topology
vlan 1, ,
Configuration Steps – Nexus 7000
3. Configure VPC between local and peer switch. Enable L3 over VPC feature (NXOS 7.2+ only) – optional
vrf context vpc-keepalive
vpc domain 1
  peer-keepalive destination  source  vrf vpc-keepalive
  peer-gateway
  layer3 peer-router
  ipv6 nd synchronize
  ip arp synchronize
interface port-channel1
  description - VPC PEER LINK
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface Ethernet1/1
  description - VPC KEEP-ALIVE LINK
  vrf member vpc-keepalive
  ip address /24
  no shutdown
interface Ethernet1/2-3
  channel-group 1 mode active
Configuration Steps – Nexus 7000
4. Create VRF(s) needed for ITD process
vrf context FW_OUTSIDE
#In this configuration, Outside traffic heading to the firewall will use the FW_OUTSIDE VRF. After entering and exiting the firewall the traffic will use the default VRF.
#The VRF is needed because L3 interfaces are used to connect to both inside and outside firewall interfaces. VRFs are put in place to prevent traffic from being (inter-VLAN) routed “around” the firewall in certain cases.
#Traffic is directed to individual firewalls via PBR, thus routes are not needed.
Configuration Steps – Nexus 7000
5. Configure (physical/logical) interfaces connecting to firewall Inside and Outside networks
interface Vlan100
  description OUTSIDE_FW_VLAN
  no shutdown
  vrf member FW_OUTSIDE
  no ip redirects
  ip address /24
  hsrp 3
    ip
interface Vlan101
  description INSIDE_FW_VLAN
  ip address /24
  hsrp 1
    ip
interface Ethernet4/1
  description To_ITD-ASA-1_PChannelOutside
  switchport mode access
  switchport access vlan 100
  channel-group 21 mode active
interface Ethernet4/2
  description To_ITD-ASA-2_PChannelOutside
  channel-group 22 mode active
Replicate for every connecting ASA
interface Port-channel 21
  vpc 21
interface Ethernet4/25
  description To_ITD-ASA-1_PChannelInside
  switchport mode access
  switchport access vlan 101
  channel-group 11 mode active
interface Ethernet4/26
  description To_ITD-ASA-2_PChannelInside
  channel-group 12 mode active
interface Port-channel 11
  description To_ITD-ASA-1_PChannelInside
  switchport access vlan 101
  vpc 11
Configuration Steps – Nexus 7000
6. Configure ITD ingress interfaces used to connect to downstream network infrastructure
interface Vlan1100
  description EXTERNAL_to_FW-OUTSIDE
  vrf member FW_OUTSIDE
  no ip redirects
  ip address /24
  hsrp 100
    ip
interface Vlan1101
  description INTERNAL_to_FW-INSIDE
  ip address /24
  hsrp 1
    ip
interface port-channel41
  description BUNDLE_FOR_AGGREGATE_TRAFFIC
  switchport
  switchport mode trunk
  switchport trunk allowed vlan
  vpc 41
interface Ethernet10/1-8
  channel-group 41
Configuration Steps – Nexus 7000
7. Define ITD device groups and health probe parameters
itd device-group FW_INSIDE
  #Config firewall Inside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
  probe icmp frequency 5 timeout 5 retry-count 1
itd device-group FW_OUTSIDE
  #Config firewall Outside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
Probe default values:
switch(config-device-group)# probe icmp frequency 10 retry-down-count 1 retry-up-count 1 timeout 5
Configuration Steps – Nexus 7000
8. Configure mandatory ITD service processes
itd INSIDE
  device-group FW_INSIDE        #binds inside firewall interfaces to process
  ingress interface Vlan1101    #applies ITD route-map to Vlan1101 interface
  failaction node reassign      #dictates to use the next available active FW if a FW goes offline
  load-balance method src ip    #distributes traffic into 16 buckets
                                #load balances traffic applicable in buckets to firewalls based on source-IP address (default).
  no shut
itd OUTSIDE
  vrf FW_OUTSIDE                #applies this ITD process to the defined VRF named ‘FW_OUTSIDE’
  device-group FW_OUTSIDE
  ingress interface Vlan1100
  load-balance method dst ip    #load balances traffic applicable in buckets to firewalls based on destination. Default is src-ip (itd INSIDE)
Configuration Steps – Nexus 7000
9. Configure optional ITD features
N7K-1(config)# itd INSIDE
N7K-1(config-itd)# ?
  access-list   ITD access-list name               ##Traffic to include in LB Profile
  device-group  ITD device group
  exclude       ACL to exclude from redirection    ##Traffic to exclude from LB Profile
  failaction    ITD failaction
  ingress       ITD ingress interface
  load-balance  ITD Loadbalance                    ##Configures bucket allocation, mask position, or Src/Dst LB Method
  nat           Network Address Translation        ##Enables NAT Based ITD instead of PBR based (default)
  no            Negate a command or set its defaults
  peer          Peer cli for sandwich mode failure notification   ##Enables awareness of ITD process state in another VDC (used for 2-Arm/Sandwich ITD configurations)
  shutdown
  virtual       ITD virtual ip configuration       ##Global and Device-group specific VIP configuration
  vrf           ITD service vrf
Configuration Steps – ASA Firewall
ASA Basic Configuration: There is nothing ITD-specific about configuring the ASA for ITD. The following interface configuration is used with this topology.
interface Port-channel11
 description INSIDE
 vlan 101
 nameif inside
 security-level 100
 ip address
!
interface Port-channel21
 description OUTSIDE
 vlan 100
 nameif outside
 ip address
same-security-traffic permit inter-interface
interface TenGigabitEthernet0/6
 description CONNECTED_TO_SWITCH-A-VPC
 channel-group 11 mode active
 no nameif
 no security-level
interface TenGigabitEthernet0/7
 description CONNECTED_TO_SWITCH-B-VPC
interface TenGigabitEthernet0/8
 channel-group 21 mode active
interface TenGigabitEthernet0/9
Interface security levels and traffic filtering parameters are dependent on customer security policies. For the purposes of testing, security level 100 is used, and traffic is allowed to traverse between interfaces of the same security level.
ITD + ASA with dual VDC Sandwich Topology
Physical separation of traffic using separate ASA interfaces for Inside and Outside networks.
Dual VDC Sandwich Topology
[Topology diagram – NXOS GBR 7.2, L3 over VPC, dual VDC sandwich. VDC 2 (Outside): NX ITD ingress interface SVI VLAN 1100 (VRF FW_OUTSIDE) and transit SVI VLAN 100 (VRF FW_OUTSIDE), ITD applied. VDC 1 (Inside): transit SVI VLAN 101 and NX ITD ingress interface SVI VLAN 1101, ITD applied. Firewall interfaces: Outside Port-Channel 21, VLAN 100, VRF Outside (/24); Inside Port-Channel 11, VLAN 101 (/24). ASA1–ASA4 at .111–.114.]
Configuration Steps – Nexus 7000
All configuration steps are done in each VDC (or individual switch on each side of the “sandwich” configuration).
Nexus 7000
1. Create VDC and allocate ports (not displayed)
2. Enable features
3. Enable L2 VLANs to be used in the topology
4. Configure (physical/logical) interfaces connecting to firewall Inside and Outside networks
5. Configure transit interfaces used for getting internal traffic flow to the firewall
6. Define ITD device groups and health probe parameters
7. Configure ITD services and mandatory parameters
8. Configure optional ITD parameters
Configuration Steps – Nexus 7000
1. Create VDC and allocate ports (not shown)

2. Enable features
feature pbr
feature interface-vlan
feature sla sender
feature sla responder
feature itd

3. Enable L2 VLANs used in topology
#VDC 1 – Inside
vlan 101,1101
#VDC 2 – Outside
vlan 100,1100
Configuration Steps – Nexus 7000
4. Configure (physical/logical) interfaces connecting to firewall Inside and Outside networks
#VDC1
interface Vlan101
  description INSIDE_FW_VLAN
  no ip redirects
  ip address /24
  no shutdown
interface Ethernet4/25
  description To_ITD-ASA-1_Intf_Te0/6
  switchport mode access
  switchport access vlan 101
interface Ethernet4/26
  description To_ITD-ASA-2_Intf_Te0/6
  switchport mode access
  switchport access vlan 101
  no shutdown
interface Ethernet4/27
  description To_ITD-ASA-3_Intf_Te0/6
  switchport mode access
  switchport access vlan 101
  no shutdown
interface Ethernet4/28
  description To_ITD-ASA-4_Intf_Te0/6
  switchport mode access
  switchport access vlan 101
  no shutdown
#VDC2
interface Vlan100
  description OUTSIDE_FW_VLAN
  ip address /24
interface Ethernet4/1
  description To_ITD-ASA-1_Intf_Te0/8
  switchport access vlan 100
interface Ethernet4/2
  description To_ITD-ASA-2_Intf_Te0/8
  switchport mode access
  switchport access vlan 100
  no shutdown
interface Ethernet4/3
  description To_ITD-ASA-3_Intf_Te0/8
  switchport mode access
  switchport access vlan 100
  no shutdown
interface Ethernet4/4
  description To_ITD-ASA-4_Intf_Te0/8
  switchport mode access
  switchport access vlan 100
  no shutdown
Configuration Steps – Nexus 7000
5. Configure transit interfaces used for getting internal traffic flow to the firewall
#VDC1
interface Vlan1101
  description INTERNAL_to_FW-INSIDE
  no ip redirects
  ip address /24
  no shutdown
interface Ethernet10/1-8
  description “connection to Breaking Point”
  switchport
  switchport mode access
  switchport access vlan 1101
  no shutdown
#VDC2
interface Vlan1100
  description EXTERNAL_to_FW-OUTSIDE
  no ip redirects
  ip address /24
  no shutdown
interface Ethernet10/13-20
  description “connection to Breaking Point”
  switchport
  switchport mode access
  switchport access vlan 1100
  no shutdown
Configuration Steps – Nexus 7000
6. Define ITD device groups and health probe parameters
#VDC1
itd device-group FW_INSIDE
  #Config firewall Inside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
  probe icmp frequency 5 timeout 5 retry-count 1
#VDC2
itd device-group FW_OUTSIDE
  #Config firewall Outside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
Probe default values:
switch(config-device-group)# probe icmp frequency 10 retry-down-count 1 retry-up-count 1 timeout 5
Configuration Steps – Nexus 7000
7. Configure mandatory ITD service processes
itd INSIDE
  device-group FW_INSIDE        #binds inside firewall interfaces to process
  ingress interface Vlan1101    #applies ITD route-map to Vlan1101 interface
  failaction node reassign      #dictates to use the next available active FW if a FW goes offline
  load-balance method src ip    #distributes traffic into 16 buckets
                                #load balances traffic applicable in buckets to firewalls based on source-IP address (default).
  peer vdc VDC2                 #enables awareness of ITD process in peer VDC for sandwich mode. If a device is connected to both VDCs (2 arm) and all links of the arm connected to the peer fail, then locally connected links will also be disabled to prevent blackholing of traffic.
  no shut
itd OUTSIDE
  device-group FW_OUTSIDE
  ingress interface Vlan1100
  load-balance method dst ip    #load balances traffic applicable in buckets to firewalls based on destination. Default is src-ip (itd INSIDE)
  peer vdc VDC1
Configuration Steps – Nexus 7000
8. Configure optional ITD features
N7K-1(config)# itd INSIDE
N7K-1(config-itd)# ?
  access-list   ITD access-list name               ##Traffic to include in LB Profile
  device-group  ITD device group
  exclude       ACL to exclude from redirection    ##Traffic to exclude from LB Profile
  failaction    ITD failaction
  ingress       ITD ingress interface
  load-balance  ITD Loadbalance                    ##Configures bucket allocation, mask position, or Src/Dst LB Method
  nat           Network Address Translation        ##Enables NAT Based ITD instead of PBR based (default)
  no            Negate a command or set its defaults
  peer          Peer cli for sandwich mode failure notification   ##Enables awareness of ITD process state in another VDC (used for 2-Arm/Sandwich ITD configurations)
  shutdown
  virtual       ITD virtual ip configuration       ##Global and Device-group specific VIP configuration
  vrf           ITD service vrf                    #applies this ITD process to a defined vrf
Configuration Steps – ASA Firewall
ASA Basic Configuration: There is nothing ITD-specific about configuring the ASA for ITD. The following interface configuration is used with this topology.
!
interface TenGigabitEthernet0/6
 description INSIDE
 nameif inside
 security-level 100
 ip address
interface TenGigabitEthernet0/8
 description OUTSIDE
 nameif outside
 ip address
INSIDE and OUTSIDE interface configuration on ASA. Repeat on each of ASA-1, ASA-2, ASA-3, ASA-4. Configure a different IP address for the INSIDE and OUTSIDE interface on all firewalls.
Note: If security levels are the same for inside and outside interfaces, the ‘same-security-traffic permit’ command can be configured. If varying security levels are used, ensure appropriate ACLs are configured.
Interface security levels and traffic filtering parameters are dependent on customer security policies. For the purposes of testing, security level 100 is used, and traffic is allowed to traverse between interfaces of the same security level.
ITD +ASA with dual VDC + vPC
Sandwich Topology: physical separation of traffic using separate ASA interfaces for Inside and Outside networks.
VPC + Dual VDC Sandwich Topology
[Topology diagram – NXOS GBR 7.2, L3 over VPC, VPC + dual VDC sandwich. Firewall interfaces: Outside Port-Channel 21, VLAN 100, VRF Outside (/24); Inside Port-Channel 11, VLAN 101 (/24). ASA1–ASA4 at .111–.114. VDC 2 (Outside) on Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8, joined by a VPC peer link: NX ITD ingress interface SVI VLAN 1100 (HSRP, VRF FW_OUTSIDE) and transit SVI VLAN 100 (VRF FW_OUTSIDE), ITD applied on both switches. VDC 1 (Inside) on Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8, joined by a VPC peer link: transit SVI VLAN 101 and NX ITD ingress interface SVI VLAN 1101 (HSRP), ITD applied on both switches.]
VPC + Dual VDC Sandwich Topology
[Topology diagram – NXOS 7.1, VPC + dual VDC sandwich. Firewall interfaces: Outside Port-Channel 21, VLAN 100, VRF Outside (/24); Inside Port-Channel 11, VLAN 101 (/24). ASA1–ASA4 at .111–.114. VDC 2 (Outside) on Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8, joined by a VPC peer link: NX ITD ingress interface SVI VLAN 1100 (HSRP, VRF FW_OUTSIDE) and transit SVI VLAN 100 (VRF FW_OUTSIDE), ITD applied on both switches. VDC 1 (Inside) on Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8, joined by a VPC peer link: transit SVI VLAN 101 and NX ITD ingress interface SVI VLAN 1101 (HSRP), ITD applied on both switches.]
Configuration Steps – Nexus 7000
All configuration steps are done in each VDC (or individual switch on each side of the “sandwich” configuration). Configuration steps are shown using the NXOS 7.2+ topology.
Nexus 7000
1. Create VDC and allocate ports (not displayed)
2. Enable features
3. Enable L2 VLANs to be used in the topology
4. Configure VPC between local and peer switch – optional
   - Enable L3 over VPC feature (NXOS 7.2+ only)
5. Create VRF(s) needed for ITD process – optional
6. Configure (physical/logical) transit switch interfaces connecting to firewall Inside and Outside interfaces
7. Configure ITD ingress interfaces that connect to downstream network infrastructure
8. Define ITD device groups and health probe parameters
9. Configure ITD service and mandatory parameters
10. Enable optional ITD features
Configuration Steps – Nexus 7000
1. Create VDC and allocate ports (not shown)

2. Enable features
feature pbr
feature interface-vlan
feature hsrp        #optional
feature lacp        #optional
feature vpc
feature sla sender
feature sla responder
feature itd

3. Enable L2 VLANs used in topology
#VDC 1 – Inside
vlan 101,1101
#VDC 2 – Outside
vlan 100,1100
Configuration Steps – Nexus 7000
4. Configure VPC between local and peer switch. Enable L3 over VPC feature (NXOS 7.2+ only) – optional
#VDC1 – Inside
vrf context vpc-keepalive
vpc domain 1
  peer-keepalive destination  source  vrf vpc-keepalive
  peer-gateway
  layer3 peer-router
  ipv6 nd synchronize
  ip arp synchronize
interface port-channel1
  description - VPC PEER LINK
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface Ethernet1/1
  description - VPC KEEP-ALIVE LINK
  vrf member vpc-keepalive
  ip address /24
interface Ethernet1/2-3
  channel-group 1 mode active
Configuration Steps – Nexus 7000
4. Cont. – optional
#VDC2 – Outside
vrf context vpc-keepalive
vpc domain 1
  peer-keepalive destination  source  vrf vpc-keepalive
  peer-gateway
  layer3 peer-router
  ipv6 nd synchronize
  ip arp synchronize
interface port-channel1
  description - VPC PEER LINK
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface Ethernet1/1
  description - VPC KEEP-ALIVE LINK
  vrf member vpc-keepalive
  ip address /24
  no shutdown
interface Ethernet1/2-3
  channel-group 1 mode active
Configuration Steps – Nexus 7000
5. Create VRF(s) needed for ITD process – optional
Since VDCs segment traffic, additional VRFs are not needed.
Configuration Steps – Nexus 7000
6. Configure (physical/logical) interfaces connecting to firewall Inside and Outside networks
#VDC1
interface Vlan101
  description INSIDE_FW_VLAN
  no shutdown
  no ip redirects
  ip address /24
  hsrp 1
    ip
interface Ethernet4/25
  description To_ITD-ASA-1_Po11-VPC
  switchport mode access
  switchport access vlan 101
  channel-group 11 mode active
interface Ethernet4/26
  description To_ITD-ASA-2_Po12-VPC
  channel-group 12 mode active
interface Ethernet4/27
  description To_ITD-ASA-3_Po13-VPC
  channel-group 13 mode active
Replicate for every connecting ASA
interface Port-channel 11
  description To_ITD-ASA-1_PChannelInside
  switchport mode access
  switchport access vlan 101
  vpc 11
interface Port-channel 12
  description To_ITD-ASA-2_PChannelInside
  vpc 12
interface Port-channel 13
  description To_ITD-ASA-3_PChannelInside
  vpc 13
interface Port-channel 14
  description To_ITD-ASA-4_PChannelInside
  vpc 14
Replicate for every connecting ASA
Configuration Steps – Nexus 7000
6. Cont. (VDC #2 – Outside)
#VDC2
interface Vlan100
  description OUTSIDE_FW_VLAN
  no shutdown
  no ip redirects
  ip address /24
  hsrp 3
    ip
interface Ethernet4/1
  description To_ITD-ASA-1_Po21-VPC
  switchport mode access
  switchport access vlan 100
interface Ethernet4/2
  description To_ITD-ASA-2_Po22-VPC
interface Ethernet4/3
  description To_ITD-ASA-3_Po23-VPC
Replicate for every connecting ASA
interface Port-channel 21
  description To_ITD-ASA-1_PChannelOutside
  switchport mode access
  switchport access vlan 100
  vpc 21
interface Port-channel 22
  description To_ITD-ASA-2_PChannelOutside
  vpc 22
interface Port-channel 23
  description To_ITD-ASA-3_PChannelOutside
  vpc 23
interface Port-channel 24
  description To_ITD-ASA-4_PChannelOutside
  vpc 24
Replicate for every connecting ASA
Configuration Steps – Nexus 7000
7. Configure transit interfaces used for getting internal traffic flow to the firewall
#VDC1
interface Vlan1101
  description INTERNAL_to_FW-INSIDE
  no shutdown
  no ip redirects
  ip address /24
  hsrp 1
    ip
interface port-channel41
  description BUNDLE_FOR_AGGREGATE_TRAFFIC
  switchport
  switchport mode access
  switchport access vlan 1101
  vpc 41
interface Ethernet10/1-8
  channel-group 41
  no shutdown
#VDC2
interface Vlan1100
  description EXTERNAL_to_FW-OUTSIDE
  no shutdown
  no ip redirects
  ip address /24
  hsrp 100
    ip
interface port-channel42
  description BUNDLE_FOR_AGGREGATE_TRAFFIC
  switchport
  switchport mode access
  switchport access vlan 1100
  vpc 42
interface Ethernet10/13-20
  channel-group 42
  no shutdown
Configuration Steps – Nexus 7000
8. Define ITD device groups and health probe parameters
#VDC1
itd device-group FW_INSIDE
  #Config firewall Inside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
  probe icmp frequency 5 timeout 5 retry-count 1
#VDC2
itd device-group FW_OUTSIDE
  #Config firewall Outside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
Probe default values:
switch(config-device-group)# probe icmp frequency 10 retry-down-count 1 retry-up-count 1 timeout 5
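The probe parameters shown on this slide and on the earlier device-group slides (frequency, timeout, retry-down-count, retry-up-count) decide how quickly a dead firewall is taken out of rotation and how easily a flapping one is put back in. The Python below is an added example, not Cisco code and not a description of NX-OS internals: it is a simplified model in which a node is declared down after retry-down-count consecutive missed probes and up again after retry-up-count consecutive replies, replayed over a constructed sequence of probe outcomes. The names ProbeConfig, NodeHealth, run_probes and worst_case_detection_seconds are invented for the example; the page's own device-group command uses "retry-count 1" rather than the separate up/down counters of the defaults line.

```python
from dataclasses import dataclass, field

# Added example (not NX-OS code): a simplified model of an ITD ICMP probe.
# Model assumptions: one probe every `frequency` seconds, a missed probe is
# only known after `timeout` seconds, a reply is known immediately, and the
# node changes state after retry_down_count consecutive misses or
# retry_up_count consecutive replies.


@dataclass
class ProbeConfig:
    frequency: int = 10        # seconds between probes (page default)
    timeout: int = 5           # seconds to wait for a reply (page default)
    retry_down_count: int = 1  # consecutive misses before the node is marked down
    retry_up_count: int = 1    # consecutive replies before it is marked up again


@dataclass
class NodeHealth:
    cfg: ProbeConfig
    up: bool = True
    fail_streak: int = 0
    ok_streak: int = 0
    transitions: list = field(default_factory=list)  # (time, "up" | "down")

    def observe(self, t, replied):
        """Feed one probe result known at time t; return the node state."""
        if replied:
            self.ok_streak += 1
            self.fail_streak = 0
            if not self.up and self.ok_streak >= self.cfg.retry_up_count:
                self.up = True
                self.transitions.append((t, "up"))
        else:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.up and self.fail_streak >= self.cfg.retry_down_count:
                self.up = False
                self.transitions.append((t, "down"))
        return self.up


def run_probes(cfg, results):
    """Replay a list of probe outcomes (True = reply, False = miss).

    Probe i is sent at i * frequency; a miss is only known once its timeout
    expires.  Returns the list of state changes as (time, state) tuples.
    """
    node = NodeHealth(cfg)
    for i, replied in enumerate(results):
        verdict_time = i * cfg.frequency + (0 if replied else cfg.timeout)
        node.observe(verdict_time, replied)
    return node.transitions


def worst_case_detection_seconds(cfg):
    """Time in this model from the first unanswered probe being sent until
    the node is marked down: the remaining misses are spaced `frequency`
    apart and the last one must run its full timeout."""
    return (cfg.retry_down_count - 1) * cfg.frequency + cfg.timeout


if __name__ == "__main__":
    configs = {
        "defaults": ProbeConfig(),                              # probe defaults on the page
        "page":     ProbeConfig(frequency=5, timeout=5),        # 'probe icmp frequency 5 timeout 5'
        "strict":   ProbeConfig(10, 5, retry_down_count=3, retry_up_count=2),
    }
    # Constructed probe outcomes: three misses in a row, then two replies.
    outcomes = [False, False, False, True, True]
    for name, cfg in configs.items():
        print(f"{name:8s} transitions={run_probes(cfg, outcomes)} "
              f"worst-case detection={worst_case_detection_seconds(cfg)}s")
```

Raising retry-down-count trades detection time for protection against a single lost ICMP reply taking a healthy firewall out of the bucket table; raising retry-up-count keeps a firewall that is flapping from being reinserted on its first reply. Both are visible in the replay: the "strict" configuration marks the node down only on the third miss and up only on the second reply.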
Configuration Steps – Nexus 7000
9. Configure mandatory ITD service processes
#VDC1
itd INSIDE
  device-group FW_INSIDE        #binds inside firewall interfaces to process
  ingress interface Vlan1101    #applies ITD route-map to Vlan1101 interface
  failaction node reassign      #dictates to use the next available active FW if a FW goes offline
  load-balance method src ip    #distributes traffic into 16 buckets
                                #load balances traffic applicable in buckets to firewalls based on source-IP address (default).
  peer vdc VDC2                 #enables awareness of ITD process in peer VDC for sandwich mode. If a device is connected to both VDCs (2 arm) and all links of the arm connected to the peer fail, then locally connected links will also be disabled to prevent blackholing of traffic.
  no shut
#VDC2
itd OUTSIDE
  device-group FW_OUTSIDE
  ingress interface Vlan1100
  load-balance method dst ip    #load balances traffic applicable in buckets to firewalls based on destination. Default is src-ip (itd INSIDE)
  peer vdc VDC1
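Every ITD service slide in this guide pairs "load-balance method src ip" on the INSIDE service with "load-balance method dst ip" on the OUTSIDE service, and the sandwich variants add "peer vdc". The reason is that the ASA is a stateful firewall: the reply to a flow must reach the same ASA that saw the request, so both directions must hash the same internal host address into the same bucket, and a firewall that one VDC has marked down must also be removed on the other side. The Python below is an added example, not Cisco code; its bucket hash is a stand-in (low-order address bits) rather than the NX-OS mask-position hash, and the class and function names (ItdService, asymmetric_flows, demo) and the 10.1.1.x / 203.0.113.x / 198.51.100.x addresses are constructed for the example. The symmetry argument it demonstrates holds for any hash as long as both services map the same field value to the same bucket and hold the same bucket-to-node table.

```python
import ipaddress

# Added example (not Cisco code): a toy model of ITD bucket-to-node
# assignment for the INSIDE/OUTSIDE firewall sandwich on this page.
# The hash below is a stand-in, not the NX-OS implementation.


def bucket_for(address, buckets):
    """Stand-in hash: map an IPv4/IPv6 address to a bucket number."""
    return int(ipaddress.ip_address(address)) % buckets


class ItdService:
    """One 'itd <name>' service: device-group nodes, hash field, bucket table."""

    def __init__(self, name, nodes, method, buckets=16):
        if method not in ("src", "dst"):
            raise ValueError("load-balance method must be 'src' or 'dst'")
        self.name = name
        self.method = method       # 'load-balance method src ip' or 'dst ip'
        self.buckets = buckets     # 'load-balance ... buckets 16'
        self.nodes = list(nodes)   # device-group node order
        self.down = set()
        # Initial allocation: buckets dealt round-robin over the nodes.
        self.owner = {b: self.nodes[b % len(self.nodes)] for b in range(buckets)}

    def node_for(self, src, dst):
        """Firewall a packet with this src/dst is redirected to."""
        key = src if self.method == "src" else dst
        return self.owner[bucket_for(key, self.buckets)]

    def fail_node(self, node):
        """'failaction node reassign': hand the failed node's buckets to the
        next node in device-group order that is still active."""
        self.down.add(node)
        if all(n in self.down for n in self.nodes):
            raise RuntimeError(f"{self.name}: no active firewall left")
        for b, n in list(self.owner.items()):
            if n in self.down:
                start = self.nodes.index(n)
                for k in range(1, len(self.nodes)):
                    cand = self.nodes[(start + k) % len(self.nodes)]
                    if cand not in self.down:
                        self.owner[b] = cand
                        break


def asymmetric_flows(inside, outside, flows):
    """Flows whose request and reply would hit different firewalls.

    flows: (internal_src, external_dst) pairs.  The request enters the INSIDE
    service (hashed on src = internal host); the reply enters the OUTSIDE
    service with src/dst swapped (hashed on dst = internal host).
    """
    bad = []
    for internal, external in flows:
        fwd = inside.node_for(internal, external)
        ret = outside.node_for(external, internal)
        if fwd != ret:
            bad.append((internal, external, fwd, ret))
    return bad


def demo():
    """Healthy state, a failure seen by one VDC only, then by both VDCs."""
    firewalls = ["ASA1", "ASA2", "ASA3", "ASA4"]
    inside = ItdService("INSIDE", firewalls, "src")    # itd INSIDE: load-balance method src ip
    outside = ItdService("OUTSIDE", firewalls, "dst")  # itd OUTSIDE: load-balance method dst ip
    # Constructed flows using documentation address ranges.
    flows = [("10.1.1.7", "203.0.113.5"), ("10.1.1.5", "198.51.100.9")]
    healthy = asymmetric_flows(inside, outside, flows)
    inside.fail_node("ASA2")       # only VDC1 has probed ASA2 as down
    one_sided = asymmetric_flows(inside, outside, flows)
    outside.fail_node("ASA2")      # what 'peer vdc' is for: both sides agree
    both_sides = asymmetric_flows(inside, outside, flows)
    return healthy, one_sided, both_sides


if __name__ == "__main__":
    healthy, one_sided, both_sides = demo()
    print("healthy:", healthy)           # []
    print("one-sided failure:", one_sided)  # replies for 10.1.1.5 land on ASA2, requests on ASA3
    print("both sides agree:", both_sides)  # []
```

In the one-sided case the request from 10.1.1.5 is reassigned to ASA3 while the reply is still redirected to ASA2, which has no connection state for it and drops the packet; that is the blackholing the page's "peer vdc" comment refers to. The same check can be run against any bucket table you extract from the switch to confirm that the two services agree.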
55
Configuration Steps – Nexus 7000
10. Configure optional ITD features

N7K-1(config)# itd INSIDE
N7K-1(config-itd)# ?
  access-list    ITD access-list name                          ##Traffic to include in the LB profile
  device-group   ITD device group
  exclude        ACL to exclude from redirection               ##Traffic to exclude from the LB profile
  failaction     ITD failaction
  ingress        ITD ingress interface
  load-balance   ITD Loadbalance                               ##Configures bucket allocation, mask position, or src/dst LB method
  nat            Network Address Translation                   ##Enables NAT based ITD instead of PBR based (default)
  no             Negate a command or set its defaults
  peer           Peer cli for sandwich mode failure notification ##Enables awareness of the ITD service state in another VDC (used for 2-arm/sandwich ITD configurations)
  shutdown
  virtual        ITD virtual ip configuration                  ##Global and device-group specific VIP configuration
  vrf            ITD service vrf
Configuration Steps – ASA Firewall
ASA Basic Configuration

There is nothing ITD specific about configuring the ASA for ITD. The following INSIDE and OUTSIDE interface configuration is used with this topology. Repeat it on each of ASA-1, ASA-2, ASA-3 and ASA-4, with a different IP address for the INSIDE and OUTSIDE interface on every firewall.

!
interface TenGigabitEthernet0/6
 description INSIDE
 nameif inside
 security-level 100
 ip address
!
interface TenGigabitEthernet0/8
 description OUTSIDE
 nameif outside
 security-level 100
 ip address
!
same-security-traffic permit inter-interface

Note: if the inside and outside interfaces have the same security level, 'same-security-traffic permit inter-interface' is required for traffic to cross between them. If different security levels are used, ensure appropriate ACLs are configured. Interface security levels and traffic filtering parameters depend on customer security policy; for the purposes of testing, security level 100 is used on both interfaces and traffic is allowed between interfaces of the same security level.
ITD + ASA Cluster with dual VDC + vPC

Sandwich topology: physical separation of traffic using separate ASA interfaces for the Inside and Outside networks.
L3 Cluster + VPC + Dual VDC Sandwich
Topology diagram (NX-OS GBR 7.2, L3 over vPC) showing:
- Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8 are vPC peers (vPC peer link), each with VDC 1 (inside) and VDC 2 (outside) running ITD.
- ASA1-ASA4 (.111-.114) form an individual-mode, L3 routed ASA cluster joined by the CCL. Each cluster member has its own unique IP allocated from a cluster pool and maintains its own ARP and routing tables. Each firewall has its own port-channel to the vPC peers.
- Firewall interfaces: Outside = Port-Channel 21, VLAN 100, VRF FW_OUTSIDE (/24); Inside = Port-Channel 11, VLAN 101 (/24).
- NX transit interfaces: SVI VLAN 100 (VRF FW_OUTSIDE) and SVI VLAN 101 on each switch.
- NX ITD ingress interfaces: SVI VLAN 1100 (HSRP, VRF FW_OUTSIDE) in VDC 2; SVI VLAN 1101 (HSRP) in VDC 1.
Individual Mode ASA Cluster
L3 Cluster + VPC + Dual VDC Sandwich

Topology diagram (NX-OS 7.1) showing:
- Sw1 DC1-N7K-7 and Sw2 DC1-N7K-8 are vPC peers (vPC peer link), each with VDC 1 (inside) and VDC 2 (outside) running ITD.
- ASA1-ASA4 (.111-.114) form an individual-mode, L3 routed ASA cluster joined by the CCL. Each cluster member has its own unique IP allocated from a cluster pool and maintains its own ARP and routing tables. Each firewall has its own port-channel to one of the vPC peers; a single non-vPC firewall interface (e.g., te0/6) can also be used.
- Firewall interfaces: Outside = Port-Channel 21, VLAN 100, VRF FW_OUTSIDE (/24); Inside = Port-Channel 11, VLAN 101 (/24).
- NX transit interfaces: SVI VLAN 100 (VRF FW_OUTSIDE) and SVI VLAN 101 on each switch.
- NX ITD ingress interfaces: SVI VLAN 1100 (HSRP, VRF FW_OUTSIDE) in VDC 2; SVI VLAN 1101 (HSRP) in VDC 1.
Configuration Steps – Nexus 7000
All configuration steps are done in each VDC (or in each individual switch on each side of the "sandwich"). The steps are shown using the NX-OS 7.2+ topology.

Nexus 7000
1. Create VDC and allocate ports (not displayed)
2. Enable features
3. Enable L2 VLANs used in the topology
4. Configure vPC between local and peer switch; enable the L3 over vPC feature (NX-OS 7.2+ only)
5. Create VRF(s) needed for the ITD service (optional)
6. Configure (physical/logical) transit switch interfaces connecting to the firewall Inside and Outside interfaces
7. Configure ITD ingress interfaces that connect to the downstream network infrastructure
8. Define ITD device groups and health probe parameters
9. Configure the ITD service and its mandatory parameters
10. Enable optional ITD features
Configuration Steps – Nexus 7000
1. Create VDC and allocate ports (not shown)

2. Enable features
feature pbr
feature interface-vlan
feature hsrp              #optional
feature lacp              #optional
feature vpc               #optional
feature sla sender
feature sla responder
feature itd

3. Enable L2 VLANs used in the topology
#VDC 1 - Inside
vlan 101,1101
#VDC 2 - Outside
vlan 100,1100
Configuration Steps – Nexus 7000
4. Configure vPC between local and peer switch. Enable the L3 over vPC feature (NX-OS 7.2+ only)

#VDC1 - Inside
vrf context vpc-keepalive

vpc domain 1
  peer-keepalive destination source vrf vpc-keepalive
  peer-gateway
  layer3 peer-router
  ipv6 nd synchronize
  ip arp synchronize

interface port-channel1
  description - VPC PEER LINK
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface Ethernet1/1
  description - VPC KEEP-ALIVE LINK
  vrf member vpc-keepalive
  ip address /24

interface Ethernet1/2-3
  channel-group 1 mode active
Configuration Steps – Nexus 7000
4. Cont.

#VDC2 - Outside
vrf context vpc-keepalive

vpc domain 1
  peer-keepalive destination source vrf vpc-keepalive
  peer-gateway
  layer3 peer-router
  ipv6 nd synchronize
  ip arp synchronize

interface port-channel1
  description - VPC PEER LINK
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface Ethernet1/1
  description - VPC KEEP-ALIVE LINK
  vrf member vpc-keepalive
  ip address /24
  no shutdown

interface Ethernet1/2-3
  channel-group 1 mode active
Configuration Steps – Nexus 7000
5. Create VRF(s) needed for the ITD service (optional)

Since the VDCs already segment inside and outside traffic, no additional VRFs are needed in this topology.
Configuration Steps – Nexus 7000
6. Configure (physical/logical) interfaces connecting to the firewall Inside and Outside networks

#VDC1
interface Vlan101
  description INSIDE_FW_VLAN
  no shutdown
  no ip redirects
  ip address /24
  hsrp 1
    ip

interface port-channel11
  description To_ITD-ASA-1_PChannelInside
  switchport mode access
  switchport access vlan 101
  vpc 11

interface port-channel12
  description To_ITD-ASA-2_PChannelInside
  vpc 12

interface port-channel13
  description To_ITD-ASA-3_PChannelInside
  vpc 13

interface port-channel14
  description To_ITD-ASA-4_PChannelInside
  vpc 14

interface Ethernet4/25
  description To_ITD-ASA-1_Po11-VPC
  switchport mode access
  switchport access vlan 101
  channel-group 11 mode active

interface Ethernet4/26
  description To_ITD-ASA-2_Po12-VPC
  channel-group 12 mode active

interface Ethernet4/27
  description To_ITD-ASA-3_Po13-VPC
  channel-group 13 mode active

Replicate for every connecting ASA. Every port-channel and member port carries the same 'switchport mode access' and 'switchport access vlan 101' lines shown for port-channel11 and Ethernet4/25; the slide abbreviates the repeats.
Configuration Steps – Nexus 7000
6. Cont. (VDC #2 - Outside)

#VDC2
interface Vlan100
  description OUTSIDE_FW_VLAN
  no shutdown
  no ip redirects
  ip address /24
  hsrp 3
    ip

interface Ethernet4/1
  description To_ITD-ASA-1_Po21-VPC
  switchport mode access
  switchport access vlan 100

interface Ethernet4/2
  description To_ITD-ASA-2_Po22-VPC

interface Ethernet4/3
  description To_ITD-ASA-3_Po23-VPC

interface port-channel21
  description To_ITD-ASA-1_PChannelOutside
  switchport mode access
  switchport access vlan 100
  vpc 21

interface port-channel22
  description To_ITD-ASA-2_PChannelOutside
  vpc 22

interface port-channel23
  description To_ITD-ASA-3_PChannelOutside
  vpc 23

interface port-channel24
  description To_ITD-ASA-4_PChannelOutside
  vpc 24

Replicate for every connecting ASA. As in VDC1, each member port also needs its 'channel-group 21/22/23 mode active' line and every port-channel and member port carries the same 'switchport mode access' and 'switchport access vlan 100' lines; the slide abbreviates the repeats.
Configuration Steps – Nexus 7000
7. Configure ITD ingress interfaces that connect to the downstream network infrastructure

#VDC1
interface Vlan1101
  description INTERNAL_to_FW-INSIDE
  no shutdown
  no ip redirects
  ip address /24
  hsrp 1
    ip

interface port-channel41
  description BUNDLE_FOR_AGGREGATE_TRAFFIC
  switchport
  switchport mode access
  switchport access vlan 1101
  vpc 41

interface Ethernet10/1-8
  channel-group 41
  no shutdown

#VDC2
interface Vlan1001
  description EXTERNAL_to_FW-OUTSIDE
  no shutdown
  no ip redirects
  ip address /24
  hsrp 100
    ip

interface port-channel42
  description BUNDLE_FOR_AGGREGATE_TRAFFIC
  switchport
  switchport mode access
  switchport access vlan 1001
  vpc 42

interface Ethernet10/13-20
  channel-group 42
  no shutdown

Note: step 3 enables VLAN 1100 in VDC2 and the VDC2 ITD service in step 9 names Vlan1100 as its ingress interface. The ingress SVI and the access VLAN of port-channel42 must be that same VLAN (the slide shows 1001); traffic arriving on a VLAN without the ITD route-map is routed normally and never reaches the firewalls.
Configuration Steps – Nexus 7000
8. Define ITD Device Groups and Health Probe parameters

#VDC1
itd device-group FW_INSIDE
  #Config Firewall Inside interfaces as nodes
  node ip
  node ip
  node ip
  node ip
  probe icmp frequency 5 timeout 5 retry-count 1

#VDC2
itd device-group FW_OUTSIDE
  #Config Firewall Outside interfaces as nodes
  node ip
  node ip
  node ip
  node ip

Probe default values:
switch(config-device-group)# probe icmp frequency 10 retry-down-count 1 retry-up-count 1 timeout 5

Note: with the cluster in individual interface mode, each node is the per-unit address that the ASA draws from its cluster pool (IP-INSIDE or IP-OUTSIDE), not a shared address. Configure a probe in FW_OUTSIDE as well: IP SLA and track objects are only generated for a group that has a probe, so a group without one is never marked down and a failed outside interface keeps receiving its buckets.
Configuration Steps – Nexus 7000
9. Configure Mandatory ITD Service Processes

#VDC1
itd INSIDE
  device-group FW_INSIDE        #binds the inside firewall interfaces to the service
  ingress interface Vlan1101    #applies the ITD route-map to Vlan1101
  failaction node reassign      #use the next available active FW if a FW goes offline
  load-balance method src ip    #traffic is split into 16 buckets; buckets are mapped to firewalls by source IP address (default)
  peer vdc VDC2                 #makes the service aware of the ITD service in the peer VDC (sandwich mode)
  no shut

#VDC2
itd OUTSIDE
  device-group FW_OUTSIDE
  ingress interface Vlan1100
  load-balance method dst ip    #buckets are mapped to firewalls by destination IP address; the default is src ip (as in itd INSIDE)
  peer vdc VDC1

peer vdc: if a device is connected to both VDCs (2 arm) and all links of the arm connected to the peer fail, the locally connected links are also disabled to prevent blackholing of traffic.

Hashing INSIDE on source and OUTSIDE on destination keeps both directions of a flow on the same cluster member: the client address selects the bucket for the request in VDC1 and for the reply in VDC2, so the unit that owns the connection also sees the return traffic. The OUTSIDE service also needs 'no shut' (omitted on the slide) before it becomes active. Keep failaction node reassign on both services: in PBR mode a route-map entry whose tracked next-hop is down is skipped and the packet is forwarded by the routing table, so without reassignment a firewall failure can turn into a firewall bypass rather than an outage.
Configuration Steps – Nexus 7000
10. Configure optional ITD features

N7K-1(config)# itd INSIDE
N7K-1(config-itd)# ?
  access-list    ITD access-list name                          ##Traffic to include in the LB profile
  device-group   ITD device group
  exclude        ACL to exclude from redirection               ##Traffic to exclude from the LB profile
  failaction     ITD failaction
  ingress        ITD ingress interface
  load-balance   ITD Loadbalance                               ##Configures bucket allocation, mask position, or src/dst LB method
  nat            Network Address Translation                   ##Enables NAT based ITD instead of PBR based (default)
  no             Negate a command or set its defaults
  peer           Peer cli for sandwich mode failure notification ##Enables awareness of the ITD service state in another VDC (used for 2-arm/sandwich ITD configurations)
  shutdown
  virtual        ITD virtual ip configuration                  ##Global and device-group specific VIP configuration
  vrf            ITD service vrf                               ##Applies this ITD service to the defined VRF
Configuration Steps – ASA Firewall
ASA Basic Configuration

There is nothing ITD specific about configuring the ASA L3 cluster for ITD. The following interface configuration is used with this topology; follow the ASA Configuration Guide for full configuration instructions.

! Data and CCL member ports: no nameif, security-level or ip address on the physical interfaces
interface TenGigabitEthernet0/6
 channel-group 11 mode active
 no nameif
 no security-level
 no ip address
!
interface TenGigabitEthernet0/7
 ! slide shows no detail; presumably the second member of Port-channel11
!
interface TenGigabitEthernet0/8
 channel-group 21 mode active
 no nameif
 no security-level
 no ip address
!
interface TenGigabitEthernet0/9
 description OUTSIDE
 ! slide shows no detail; presumably the second member of Port-channel21
!
interface TenGigabitEthernet1/0
 channel-group 31 mode on
!
interface TenGigabitEthernet1/1
 ! slide shows no detail; presumably the second member of Port-channel31

! Configure on the master; the configuration is synced to the slaves via the CCL
cluster group ASA-CLUSTER-L3
 local-unit ASA1
 cluster-interface Port-channel31 ip
 priority 1
 health-check holdtime 1.5
 clacp system-mac auto system-priority 1
 enable

mac-address pool MAC-INSIDE aaaa aaaa
mac-address pool MAC-OUTSIDE aaaa aaaa
ip local pool IP-OUTSIDE
ip local pool IP-INSIDE

interface Port-channel11
 description INSIDE
 lacp max-bundle 8
 mac-address cluster-pool MAC-INSIDE
 nameif inside
 security-level 100
 ip address cluster-pool IP-INSIDE
!
interface Port-channel21
 description OUTSIDE
 mac-address cluster-pool MAC-OUTSIDE
 nameif outside
 security-level 100
 ip address cluster-pool IP-OUTSIDE
!
interface Port-channel31
 description Clustering Interface

Because the data interfaces take their addresses from the cluster pools, each unit ends up with its own inside and outside IP; those per-unit addresses are the ITD nodes in FW_INSIDE and FW_OUTSIDE. Interface security levels and traffic filtering parameters depend on customer security policy; for the purposes of testing, security level 100 is used and traffic is allowed between interfaces of the same security level.
ITD + ASA Clustering Benefits
- Flow owners can be predetermined during steady-state operation
- Flow ownership can be predetermined during fail events*
- Ease of connection tracking during troubleshooting efforts
ITD Functionality: ASA Clustering Flow Owner Predictability without ITD

Flow ownership cannot easily be pre-determined by network engineers: traffic from any source can go to any ASA, so it is difficult to trace connections across the cluster without debugging.
ITD Functionality: ASA Clustering Flow Owner Predictability with ITD
- Bucket 1 ACL (permit ip <bucket 1 range> VIP) -> ITD node 1 owns all flows for bucket 1
- Bucket 2 ACL (permit ip <bucket 2 range> VIP) -> ITD node 2 owns all flows for bucket 2
- Bucket 3 ACL (permit ip <bucket 3 range> VIP) -> ITD node 3 owns all flows for bucket 3
- Bucket 4 ACL (permit ip <bucket 4 range> VIP) -> ITD node 4 owns all flows for bucket 4

Instead of flow ownership being determined by the ECMP or port-channel hashing algorithm, the ITD bucket allocation determines the flow owner.
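The following is an added example (not part of the original guide) that models the bucket-to-owner mapping described in step 9 and on the flow-owner slide above: 16 buckets over 4 nodes assigned round-robin (buckets 1, 5, 9, 13 to node 1, and so on, as the 'show itd' output later in the guide shows), INSIDE hashing on source IP and OUTSIDE on destination IP, and 'failaction node reassign' moving a failed node's buckets to the next active node. It assumes, as a model, that the bucket is taken from the four least-significant bits of the hashed address (the default mask position; the wildcard masks in the generated ACLs are not shown on the page), and the client and server addresses are constructed. The point it demonstrates is why the two services use opposite hash keys: with src/dst pairing the request and its reply land on the same ASA; with src/src they do not, and a stateful firewall drops the reply. It also shows that a node failure seen by only one VDC breaks the symmetry, which is why both device groups need probes.

```python
"""ITD bucket model for the sandwich topology (added example, not from the slides).

Assumptions: bucket = low-order address bits (default mask position), buckets
assigned round-robin over the device group, and 'failaction node reassign'
handing a down node's buckets to the next active node. Addresses below are
constructed for the example.
"""
import ipaddress

BUCKETS = 16
ASAS = ["ASA1", "ASA2", "ASA3", "ASA4"]   # the four cluster members on the page


def bucket_of(addr: str, buckets: int = BUCKETS) -> int:
    """1-based bucket for an address: its low-order bits (mask position 0, assumed)."""
    if buckets & (buckets - 1):
        raise ValueError("bucket count must be a power of two")
    return (int(ipaddress.ip_address(addr)) & (buckets - 1)) + 1


class ItdService:
    """One 'itd <name>' service: a device group plus a load-balance method."""

    def __init__(self, name: str, nodes, method: str, buckets: int = BUCKETS):
        if method not in ("src", "dst"):
            raise ValueError("load-balance method must be 'src' or 'dst'")
        self.name, self.nodes, self.method, self.buckets = name, list(nodes), method, buckets
        self.down = set()                       # node indexes whose probe has failed
        # Static bucket allocation: round-robin across the device group
        # (bucket 1,5,9,13 -> node 0; 2,6,10,14 -> node 1; ...).
        self.primary = {b: (b - 1) % len(self.nodes) for b in range(1, buckets + 1)}

    def owner(self, bucket: int) -> str:
        """Node that owns a bucket. With failaction node reassign, a down node's
        buckets go to the next active node in the group."""
        n = len(self.nodes)
        for step in range(n):
            idx = (self.primary[bucket] + step) % n
            if idx not in self.down:
                return self.nodes[idx]
        raise RuntimeError(f"{self.name}: no active node")

    def next_hop(self, src: str, dst: str) -> str:
        """Firewall chosen for a packet entering this service's ingress interface."""
        key = src if self.method == "src" else dst
        return self.owner(bucket_of(key, self.buckets))

    def buckets_of(self, node: str):
        """Buckets currently steered to a node (useful after a failure)."""
        return [b for b in range(1, self.buckets + 1) if self.owner(b) == node]


def asymmetric_flows(inside: ItdService, outside: ItdService, flows):
    """Flows whose request (client->server, entering VDC1) and reply
    (server->client, entering VDC2) are steered to different ASAs.
    A stateful firewall drops the reply of such a flow: it never saw the SYN."""
    bad = []
    for client, server in flows:
        fwd = inside.next_hop(client, server)
        rev = outside.next_hop(server, client)
        if fwd != rev:
            bad.append((client, server, fwd, rev))
    return bad


if __name__ == "__main__":
    flows = [("10.1.1.37", "172.16.5.200"), ("10.1.1.38", "172.16.5.200")]
    inside = ItdService("INSIDE", ASAS, "src")
    outside = ItdService("OUTSIDE", ASAS, "dst")
    wrong_outside = ItdService("OUTSIDE", ASAS, "src")     # misconfiguration
    print("src/dst pairing, asymmetric flows:", asymmetric_flows(inside, outside, flows))
    print("src/src pairing, asymmetric flows:", asymmetric_flows(inside, wrong_outside, flows))
    inside.down.add(1)                      # ASA2 probe fails in VDC1 only
    print("ASA2 down on one side only:", asymmetric_flows(inside, outside, flows))
    outside.down.add(1)                     # ... and now in VDC2 as well
    print("ASA2 down on both sides:", asymmetric_flows(inside, outside, flows))
    print("buckets now owned by ASA3:", outside.buckets_of("ASA3"))
```

Run it as a script to see the four cases printed; the same functions can be pointed at any other address list or bucket count, since the bucket arithmetic is general for power-of-two bucket counts.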
ITD Auto Configuration
Automatic Configuration
Nexus 7000 Automatic Configuration

Once the ITD service is enabled ('no shut'), the following elements are automatically added to the configuration:
1. ACLs that define the bucket assignments
2. Route-maps that associate the ACL bucket assignments with individual firewalls (ITD nodes) as next-hops
3. The route-maps are applied to the ingress interfaces of the traffic flow
4. If ITD probes are configured, IP SLA is configured in the background to send probes to each node defined in the ITD device group

The automatic configuration in the slides that follow was captured from the 'firewall on a stick' deployment with 16 buckets allocated across 4 firewalls.
Auto Configuration – Nexus 7000
ACLs that define the bucket assignments are configured

#INSIDE
ip access-list INSIDE_itd_bucket_1
  10 permit ip any
ip access-list INSIDE_itd_bucket_2
  10 permit ip any
ip access-list INSIDE_itd_bucket_3
  10 permit ip any
ip access-list INSIDE_itd_bucket_4
  10 permit ip any
ip access-list INSIDE_itd_bucket_5
  10 permit ip any
ip access-list INSIDE_itd_bucket_6
  10 permit ip any
ip access-list INSIDE_itd_bucket_7
  10 permit ip any
ip access-list INSIDE_itd_bucket_8
  10 permit ip any
ip access-list INSIDE_itd_bucket_9
  10 permit ip any
ip access-list INSIDE_itd_bucket_10
  10 permit ip any
ip access-list INSIDE_itd_bucket_11
  10 permit ip any
ip access-list INSIDE_itd_bucket_12
  10 permit ip any
ip access-list INSIDE_itd_bucket_13
  10 permit ip any
ip access-list INSIDE_itd_bucket_14
  10 permit ip any
ip access-list INSIDE_itd_bucket_15
  10 permit ip any
ip access-list INSIDE_itd_bucket_16
  10 permit ip any

#OUTSIDE
ip access-list OUTSIDE_itd_bucket_1
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_2
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_3
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_4
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_5
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_6
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_7
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_8
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_9
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_10
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_11
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_12
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_13
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_14
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_15
  10 permit ip any
ip access-list OUTSIDE_itd_bucket_16
  10 permit ip any
Auto Configuration – Nexus 7000
Route-maps are configured that associate the ACL bucket assignments with individual firewalls (ITD nodes) as next-hops. Every entry carries a 'set ip next-hop <node> verify-availability track <n>' line; the slide shows it for only some of the entries. The track numbers reveal the round-robin allocation: buckets 1 and 13 use track 11, buckets 2 and 14 use track 13, buckets 3 and 11 use track 15, buckets 4 and 12 use track 17.

#INSIDE
route-map INSIDE_itd_pool permit 0
  match ip address INSIDE_itd_bucket_1
  set ip next-hop verify-availability track 11
route-map INSIDE_itd_pool permit 1
  match ip address INSIDE_itd_bucket_2
  set ip next-hop verify-availability track 13
route-map INSIDE_itd_pool permit 2
  match ip address INSIDE_itd_bucket_3
  set ip next-hop verify-availability track 15
route-map INSIDE_itd_pool permit 3
  match ip address INSIDE_itd_bucket_4
  set ip next-hop verify-availability track 17
route-map INSIDE_itd_pool permit 4
  match ip address INSIDE_itd_bucket_5
route-map INSIDE_itd_pool permit 5
  match ip address INSIDE_itd_bucket_6
route-map INSIDE_itd_pool permit 6
  match ip address INSIDE_itd_bucket_7
route-map INSIDE_itd_pool permit 7
  match ip address INSIDE_itd_bucket_8
route-map INSIDE_itd_pool permit 8
  match ip address INSIDE_itd_bucket_9
route-map INSIDE_itd_pool permit 9
  match ip address INSIDE_itd_bucket_10
route-map INSIDE_itd_pool permit 10
  match ip address INSIDE_itd_bucket_11
  set ip next-hop verify-availability track 15
route-map INSIDE_itd_pool permit 11
  match ip address INSIDE_itd_bucket_12
  set ip next-hop verify-availability track 17
route-map INSIDE_itd_pool permit 12
  match ip address INSIDE_itd_bucket_13
  set ip next-hop verify-availability track 11
route-map INSIDE_itd_pool permit 13
  match ip address INSIDE_itd_bucket_14
  set ip next-hop verify-availability track 13
route-map INSIDE_itd_pool permit 14
  match ip address INSIDE_itd_bucket_15
route-map INSIDE_itd_pool permit 15
  match ip address INSIDE_itd_bucket_16
Auto Configuration – Nexus 7000
Route-maps are configured that associate the ACL bucket assignments with individual firewalls (ITD nodes) as next-hops

#OUTSIDE
route-map OUTSIDE_itd_pool permit 0
  match ip address OUTSIDE_itd_bucket_1
  set ip next-hop verify-availability track 20
route-map OUTSIDE_itd_pool permit 1
  match ip address OUTSIDE_itd_bucket_2
  set ip next-hop verify-availability track 22
route-map OUTSIDE_itd_pool permit 2
  match ip address OUTSIDE_itd_bucket_3
  set ip next-hop verify-availability track 24
route-map OUTSIDE_itd_pool permit 3
  match ip address OUTSIDE_itd_bucket_4
  set ip next-hop verify-availability track 26
route-map OUTSIDE_itd_pool permit 4
  match ip address OUTSIDE_itd_bucket_5
route-map OUTSIDE_itd_pool permit 5
  match ip address OUTSIDE_itd_bucket_6
route-map OUTSIDE_itd_pool permit 6
  match ip address OUTSIDE_itd_bucket_7
route-map OUTSIDE_itd_pool permit 7
  match ip address OUTSIDE_itd_bucket_8
route-map OUTSIDE_itd_pool permit 8
  match ip address OUTSIDE_itd_bucket_9
route-map OUTSIDE_itd_pool permit 9
  match ip address OUTSIDE_itd_bucket_10
route-map OUTSIDE_itd_pool permit 10
  match ip address OUTSIDE_itd_bucket_11
  set ip next-hop verify-availability track 24
route-map OUTSIDE_itd_pool permit 11
  match ip address OUTSIDE_itd_bucket_12
  set ip next-hop verify-availability track 26
route-map OUTSIDE_itd_pool permit 12
  match ip address OUTSIDE_itd_bucket_13
  set ip next-hop verify-availability track 20
route-map OUTSIDE_itd_pool permit 13
  match ip address OUTSIDE_itd_bucket_14
  set ip next-hop verify-availability track 22
route-map OUTSIDE_itd_pool permit 14
  match ip address OUTSIDE_itd_bucket_15
route-map OUTSIDE_itd_pool permit 15
  match ip address OUTSIDE_itd_bucket_16
Auto Configuration – Nexus 7000
Route-maps are applied to the ingress interfaces of the traffic flow

#INSIDE
interface Vlan1101
  ip policy route-map INSIDE_itd_pool

#OUTSIDE
interface Vlan1001
  ip policy route-map OUTSIDE_itd_pool
Auto Configuration – Nexus 7000
If ITD probes are configured, IP SLA is configured in the background to send probes to each node defined in the ITD device group

#INSIDE
ip sla 10001
  icmp-echo
  frequency 5
ip sla schedule life forever start-time now
ip sla 10002
  icmp-echo
ip sla schedule life forever start-time now
ip sla 10003
  icmp-echo
ip sla schedule life forever start-time now
ip sla 10004
  icmp-echo
ip sla schedule life forever start-time now

#OUTSIDE
ip sla 10006
  icmp-echo
ip sla 10007
  icmp-echo
ip sla 10008
  icmp-echo
ip sla 10009
  icmp-echo

track 1 ip sla reachability
  delay down 1
track 2 ip sla reachability
track 3 ip sla reachability
track 4 ip sla reachability
track 5 interface Vlan1101 line-protocol

track 6 ip sla reachability
  delay down 5
track 7 ip sla reachability
track 8 ip sla reachability
track 9 ip sla reachability
track 10 interface Vlan1001 line-protocol
Configuration Steps – Nexus 7000
To enable statistics gathering, enable 'route-map <route-map-name> pbr-statistics' after enabling the ITD service

#INSIDE
route-map INSIDE_itd_pool pbr-statistics

#OUTSIDE
route-map OUTSIDE_itd_pool pbr-statistics
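The generated configuration above is what actually enforces the redirection, so it is worth auditing after every change to the ITD service. The following is an added example (not part of the original guide) that parses a running-config excerpt in the same shape as the auto-configuration slides (bucket ACLs, route-map entries with 'set ip next-hop ... verify-availability track', IP SLA probes, track objects and the 'ip policy route-map' on the ingress SVI) and reports the two things a reviewer cares about: a bucket whose traffic is not redirected at all (no route-map entry or no next-hop, so the packets follow the routing table and may bypass the firewalls), and a next-hop that is not tracked or is tracked by an SLA that probes a different address (a failed firewall keeps its buckets and blackholes them). The config text is constructed for this example, with RFC 5737 placeholder addresses, four buckets and two nodes, and deliberately contains one of each defect; the ACL wildcard entries are illustrative and are not interpreted by the checker.

```python
"""Audit of the PBR wiring that ITD generates (added example; not from the slides).

SAMPLE_CONFIG is constructed for this example (RFC 5737 addresses, four
buckets, two nodes) and deliberately contains two defects:
  * bucket 3's next-hop is not tracked (blackhole if 192.0.2.111 fails)
  * bucket 4's route-map entry sets no next-hop (traffic bypasses the firewalls)
"""
import re

SAMPLE_CONFIG = """\
ip access-list INSIDE_itd_bucket_1
  10 permit ip 0.0.0.0 255.255.255.252 any
ip access-list INSIDE_itd_bucket_2
  10 permit ip 0.0.0.1 255.255.255.252 any
ip access-list INSIDE_itd_bucket_3
  10 permit ip 0.0.0.2 255.255.255.252 any
ip access-list INSIDE_itd_bucket_4
  10 permit ip 0.0.0.3 255.255.255.252 any
route-map INSIDE_itd_pool permit 0
  match ip address INSIDE_itd_bucket_1
  set ip next-hop 192.0.2.111 verify-availability track 1
route-map INSIDE_itd_pool permit 1
  match ip address INSIDE_itd_bucket_2
  set ip next-hop 192.0.2.112 verify-availability track 2
route-map INSIDE_itd_pool permit 2
  match ip address INSIDE_itd_bucket_3
  set ip next-hop 192.0.2.111
route-map INSIDE_itd_pool permit 3
  match ip address INSIDE_itd_bucket_4
ip sla 10001
  icmp-echo 192.0.2.111
ip sla 10002
  icmp-echo 192.0.2.112
track 1 ip sla 10001 reachability
track 2 ip sla 10002 reachability
interface Vlan1101
  ip policy route-map INSIDE_itd_pool
"""


def parse_config(text):
    """Collect bucket ACLs, route-map entries, SLA targets, tracks and PBR policies."""
    cfg = {"acls": set(), "entries": [], "slas": {}, "tracks": {}, "policies": {}}
    entry = sla = iface = None                   # current config-mode context
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip access-list (\S+)", line)
        if m:
            cfg["acls"].add(m.group(1)); entry = sla = iface = None
            continue
        m = re.fullmatch(r"route-map (\S+) permit (\d+)", line)
        if m:
            entry = {"map": m.group(1), "seq": int(m.group(2)),
                     "acl": None, "next_hop": None, "track": None}
            cfg["entries"].append(entry); sla = iface = None
            continue
        m = re.fullmatch(r"match ip address (\S+)", line)
        if m and entry is not None:
            entry["acl"] = m.group(1)
            continue
        m = re.fullmatch(r"set ip next-hop (\S+)(?: verify-availability track (\d+))?", line)
        if m and entry is not None:
            entry["next_hop"] = m.group(1)
            entry["track"] = int(m.group(2)) if m.group(2) else None
            continue
        m = re.fullmatch(r"ip sla (\d+)", line)
        if m:
            sla = int(m.group(1)); entry = iface = None
            continue
        m = re.fullmatch(r"icmp-echo (\S+)", line)
        if m and sla is not None:
            cfg["slas"][sla] = m.group(1)
            continue
        m = re.fullmatch(r"track (\d+) ip sla (\d+) reachability", line)
        if m:
            cfg["tracks"][int(m.group(1))] = int(m.group(2))
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            iface = m.group(1); entry = sla = None
            continue
        m = re.fullmatch(r"ip policy route-map (\S+)", line)
        if m and iface is not None:
            cfg["policies"][iface] = m.group(1)
    return cfg


def audit_service(cfg, service, ingress):
    """Findings for one ITD service. An empty list means every bucket is redirected
    to a tracked next-hop and the route-map is applied on the ingress interface."""
    pool = f"{service}_itd_pool"
    by_acl = {e["acl"]: e for e in cfg["entries"] if e["map"] == pool}
    buckets = sorted((a for a in cfg["acls"] if a.startswith(f"{service}_itd_bucket_")),
                     key=lambda a: int(a.rsplit("_", 1)[1]))
    findings = []
    for acl in buckets:
        e = by_acl.get(acl)
        if e is None:
            findings.append(f"{acl}: no entry in {pool}; traffic is routed normally (firewall bypass)")
        elif e["next_hop"] is None:
            findings.append(f"{acl}: {pool} seq {e['seq']} sets no next-hop (firewall bypass)")
        elif e["track"] is None:
            findings.append(f"{acl}: next-hop {e['next_hop']} is not tracked (blackhole on failure)")
        else:
            probed = cfg["slas"].get(cfg["tracks"].get(e["track"]))
            if probed != e["next_hop"]:
                findings.append(f"{acl}: track {e['track']} probes {probed}, next-hop is {e['next_hop']}")
    if cfg["policies"].get(ingress) != pool:
        findings.append(f"{ingress}: {pool} is not applied; no traffic is redirected")
    return findings


if __name__ == "__main__":
    for finding in audit_service(parse_config(SAMPLE_CONFIG), "INSIDE", "Vlan1101"):
        print(finding)
```

Feed it the output of 'show running-config' (or the sections shown on the slides) and run audit_service once per ITD service with that service's ingress interface; a non-empty list is the exact bucket, sequence and track to look at.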
ITD Verification – Nexus 7000
'show itd brief' displays the high-level ITD parameters applied to each firewall node. This output uses the 'firewall on a stick' topology with 2 ITD services in the same VDC.

DC1-N7K-7(config)# show itd brief

Name      Probe   LB Scheme   Interface   Status   Buckets
INSIDE    ICMP    src-ip      Vlan        ACTIVE   16

Device Group   FW_INSIDE

Virtual IP   Netmask/Prefix   Protocol   Port
 /

Node IP   Config-State   Status   Track_id   Sla_id
          Active         OK
          Active         OK
          Active         OK
          Active         OK

Name      Probe   LB Scheme   Interface   Status   Buckets
OUTSIDE   ICMP    dst-ip      Vlan        ACTIVE   16

Device Group   FW_OUTSIDE

Virtual IP   Netmask/Prefix   Protocol   Port
 /

Node IP   Config-State   Status   Track_id   Sla_id
          Active         OK
          Active         OK
          Active         OK
          Active         OK
ITD Verification – Nexus 7000
'show itd' displays the ITD parameters applied to each firewall, including the bucket distribution. The bucket ACLs appear here as <service>_itd_vip_1_bucket_N because this output was captured while a virtual IP was still configured; the auto-configuration slides, captured without a VIP, name them <service>_itd_bucket_N. Either way, each node owns every fourth bucket.

DC1-N7K-7# show itd

Name      Probe   LB Scheme   Status   Buckets
INSIDE    ICMP    src-ip      ACTIVE   16

Device Group   FW_INSIDE

Route Map         Interface   Status   Track_id
INSIDE_itd_pool   Vlan        UP

Virtual IP   Netmask/Prefix   Protocol   Port
 /

Node IP   Config-State   Status   Track_id   Sla_id
          Active         OK
    IP Access List
    INSIDE_itd_vip_1_bucket_1
    INSIDE_itd_vip_1_bucket_5
    INSIDE_itd_vip_1_bucket_9
    INSIDE_itd_vip_1_bucket_13

          Active         OK
    IP Access List
    INSIDE_itd_vip_1_bucket_2
    INSIDE_itd_vip_1_bucket_6
    INSIDE_itd_vip_1_bucket_10
    INSIDE_itd_vip_1_bucket_14

          Active         OK
    IP Access List
    INSIDE_itd_vip_1_bucket_3
    INSIDE_itd_vip_1_bucket_7
    INSIDE_itd_vip_1_bucket_11
    INSIDE_itd_vip_1_bucket_15

          Active         OK
    IP Access List
    INSIDE_itd_vip_1_bucket_4
    INSIDE_itd_vip_1_bucket_8
    INSIDE_itd_vip_1_bucket_12
    INSIDE_itd_vip_1_bucket_16
ITD Verification – Nexus 7000
'show itd' cont.

Name      Probe   LB Scheme   Status   Buckets
OUTSIDE   ICMP    dst-ip      ACTIVE   16

Device Group   FW_OUTSIDE

Route Map          Interface   Status   Track_id
OUTSIDE_itd_pool   Vlan        UP

Virtual IP   Netmask/Prefix   Protocol   Port
 /

Node IP   Config-State   Status   Track_id   Sla_id
          Active         OK
    IP Access List
    OUTSIDE_itd_vip_1_bucket_1
    OUTSIDE_itd_vip_1_bucket_5
    OUTSIDE_itd_vip_1_bucket_9
    OUTSIDE_itd_vip_1_bucket_13

          Active         OK
    IP Access List
    OUTSIDE_itd_vip_1_bucket_2
    OUTSIDE_itd_vip_1_bucket_6
    OUTSIDE_itd_vip_1_bucket_10
    OUTSIDE_itd_vip_1_bucket_14

          Active         OK
    IP Access List
    OUTSIDE_itd_vip_1_bucket_3
    OUTSIDE_itd_vip_1_bucket_7
    OUTSIDE_itd_vip_1_bucket_11
    OUTSIDE_itd_vip_1_bucket_15

          Active         OK
    IP Access List
    OUTSIDE_itd_vip_1_bucket_4
    OUTSIDE_itd_vip_1_bucket_8
    OUTSIDE_itd_vip_1_bucket_12
    OUTSIDE_itd_vip_1_bucket_16
ITD Verification – Nexus 7000
'show itd statistics': traffic is distributed equally across the 4 firewalls using 16 buckets. (In this capture the service is named INSIDE_TRAFFIC, so its ACLs are INSIDE_TRAFFIC_itd_vip_1_bucket_N; the bucket numbers and packet counts did not survive extraction.)

#VDC1
DC1-N7K-7(config)# show itd statistics

Service Name     Virtual IP   Packets
INSIDE_TRAFFIC    /

Device Group   FW_INSIDE

Node IP   Packets   IP Access List                      Packets
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_

Node IP   Packets   IP Access List                      Packets
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_
                    INSIDE_TRAFFIC_itd_vip_1_bucket_